whatisgithub

What is docker-swag?

linuxserver/docker-swag — explained in plain English

Analysis updated 2026-07-03

3,661DockerfileAudience · ops devopsComplexity · 3/5LicenseSetup · moderate

In one sentence

SWAG is a single Docker container that bundles Nginx, automatic free SSL certificates, and brute-force IP blocking so you can safely expose self-hosted services to the internet without separate setup for each app.

Mindmap

mindmap
  root((docker-swag))
    Core Components
      Nginx reverse proxy
      Let's Encrypt SSL
      Fail2ban blocking
    Configuration
      Domain and email vars
      HTTP or DNS validation
      Certificate auto-renewal
    Use Cases
      Home server gateway
      Multi-service routing
      Intrusion blocking
    Tech Stack
      Docker
      Nginx
      Fail2ban
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Route all external traffic from one domain to a home media server, password manager, and home automation system without opening separate ports for each.

USE CASE 2

Automatically obtain and renew a free Let's Encrypt SSL certificate for your self-hosted app so browsers show the padlock icon.

USE CASE 3

Block IP addresses that repeatedly fail login attempts on your Nginx-proxied services using the bundled fail2ban configuration.

USE CASE 4

Set up a single public HTTPS entry point for a Raspberry Pi home server running multiple Docker apps on the local network.

What is it built with?

DockerNginxFail2banShell

How does it compare?

linuxserver/docker-swagp3terx/aria2-pro-dockertheprimeagen/ansible
Stars3,6613,723273
LanguageDockerfileDockerfileDockerfile
Last pushed2023-07-14
MaintenanceDormant
Setup difficultymoderateeasymoderate
Complexity3/52/52/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires a public domain name pointed at your server and either HTTP port 80 open or DNS provider API credentials for certificate validation.

GPL-2.0 license, you can use and modify it freely but must share the source code of any modified version you distribute.

So what is it?

SWAG, which stands for Secure Web Application Gateway, is a Docker container image that packages several web server tools into one pre-configured unit. Its main components are Nginx (a web server and reverse proxy), automatic SSL certificate management using Let's Encrypt and ZeroSSL, and fail2ban, a tool that blocks IP addresses after repeated failed login attempts. Docker is a system for running applications in isolated containers. With SWAG, you pull a single image and configure it with environment variables: your domain name, your email address, and whether you want to verify your domain through HTTP or through your DNS provider. The container then requests a free SSL certificate, sets itself up as a web server or reverse proxy for your services, and renews the certificate automatically before it expires. The reverse proxy feature is what many users rely on most. Instead of exposing multiple services (a media server, a home automation system, a password manager) directly to the internet on separate ports, you point all external traffic to SWAG, which routes requests to the right internal service based on the domain name or URL path. This avoids the need for each application to manage its own certificates and public-facing port. Fail2ban runs alongside Nginx and watches for suspicious patterns in the access logs, such as repeated failed authentication attempts. When it detects an attack pattern, it adds the offending IP address to a block list. SWAG supports x86-64 and ARM64 architectures and is maintained by LinuxServer.io, a community that publishes regularly-updated Docker images for self-hosted software. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Write a docker-compose.yml that sets up linuxserver/swag to proxy two services, Nextcloud on subdomain cloud.example.com and Jellyfin on media.example.com, using Let's Encrypt HTTP validation.
Prompt 2
How do I configure linuxserver/swag to use Cloudflare DNS validation for a wildcard SSL certificate? Show me the environment variables and the Cloudflare credentials file format.
Prompt 3
How does fail2ban work inside the SWAG container? How do I check which IPs are currently banned and manually unban one?
Prompt 4
I want to add a custom Nginx location block inside SWAG to proxy a new service at /app. Where do I put the config file so it survives container updates?

Frequently asked questions

What is docker-swag?

SWAG is a single Docker container that bundles Nginx, automatic free SSL certificates, and brute-force IP blocking so you can safely expose self-hosted services to the internet without separate setup for each app.

What language is docker-swag written in?

Mainly Dockerfile. The stack also includes Docker, Nginx, Fail2ban.

What license does docker-swag use?

GPL-2.0 license, you can use and modify it freely but must share the source code of any modified version you distribute.

How hard is docker-swag to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is docker-swag for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.